Heartbleed bug *can* expose private SSL keys

At the end of last week, engineers at CloudFlare said that they had been unable to exploit the Heartbleed bug to steal SSL keys from a server:

We’ve spent much of the time running extensive tests to figure out what can be exposed via Heartbleed and, specifically, to understand if private SSL key data was at risk.

Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.

So, they set the internet a challenge - putting a test server online and inviting people to try to grab its private server keys by exploiting the so-called Heartbleed vulnerability in OpenSSL.

This site was created by CloudFlare engineers to be intentionally vulnerable to heartbleed. It is not running behind CloudFlare’s network. We encourage everyone to attempt to get the private key from this website. If someone is able to steal the private key from this site using heartbleed, we will post the full details here.

Well, they soon got an answer. And it wasn't the good news we might have all wished for.

Within hours, software engineer Fedor Indutny was revealed to have recovered the private keys from the web server.

Indutny said on Twitter that a script he wrote for the purpose took just three hours to hunt down the private SSL key.

CloudFlare confirmed Indutny's success, and speculated that a reboot of the server at one point might have contributed to the challenger's successful exfiltration of the server's secret key.

One thing is clear. If you administer a server and have so far put off revoking and reissuing your SSL certificates, it might be time to think again.

If you don't, you could be putting your users and online customers in jeopardy.
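The advice above is to revoke and reissue, not merely renew: a certificate renewed on the same key pair is still covered by whatever key material Heartbleed may have leaked. The following Go program is an added example, not code from this post or from CloudFlare, that an administrator can adapt to audit a replacement certificate. It generates constructed self-signed certificates in memory (no real site's certificate is involved), and it assumes the public disclosure date of 7 April 2014, which the post itself does not state. The names CheckReissue, Verdict and Demo are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosure is the public disclosure date of the bug (assumed here: 7 April 2014).
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// Verdict summarises how a replacement certificate compares with the one it replaces.
type Verdict struct {
	Rekeyed        bool   // the SubjectPublicKeyInfo differs from the old certificate
	IssuedAfterBug bool   // NotBefore falls after the disclosure date
	Reason         string // human-readable explanation
}

// CheckReissue reports whether "current" is a sound replacement for "old":
// it must carry a new key pair (a renewal on the same key stays exposed) and
// must have been issued after the disclosure date.
func CheckReissue(old, current *x509.Certificate) Verdict {
	v := Verdict{
		Rekeyed:        !bytes.Equal(old.RawSubjectPublicKeyInfo, current.RawSubjectPublicKeyInfo),
		IssuedAfterBug: current.NotBefore.After(HeartbleedDisclosure),
	}
	switch {
	case !v.Rekeyed:
		v.Reason = "same public key as the old certificate: private key may already be exposed"
	case !v.IssuedAfterBug:
		v.Reason = "certificate predates the Heartbleed disclosure"
	default:
		v.Reason = "ok: new key pair, issued after disclosure"
	}
	return v
}

// selfSigned builds a constructed test certificate for the given key and start date.
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Demo compares an old (pre-disclosure) certificate against two replacements:
// one renewed on the same key and one issued on a fresh key.
func Demo() (renewedSameKey, rekeyed Verdict) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old := selfSigned(oldKey, time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC))
	after := time.Date(2014, time.April, 12, 0, 0, 0, 0, time.UTC)
	renewedSameKey = CheckReissue(old, selfSigned(oldKey, after))
	rekeyed = CheckReissue(old, selfSigned(newKey, after))
	return
}

func main() {
	a, b := Demo()
	fmt.Println("renewed with same key:", a.Reason)
	fmt.Println("reissued with new key:", b.Reason)
}
```

Against a live host, the same CheckReissue call works on the certificate returned by a tls.Conn's ConnectionState together with a copy of the certificate that was in use before patching; comparing RawSubjectPublicKeyInfo rather than serial numbers or dates is what distinguishes a genuine re-key from a cosmetic renewal.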

Subscribe to the free GCHQ newsletter

Over 75,000 people follow Graham Cluley for news and
advice about computer security and internet privacy.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.
Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.


Yes... and interestingly, BBC reports _this_ (today I guess – when I saw it anyway):

A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.

Mumsnet – which says it has 1.5 million registered members – said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.

and

The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.

I cannot help but wonder why they were waiting around… then I snap back to what little reality I have and realise that most corporations, organisations and people in general do not take this type of thing seriously enough (I somehow doubt it was exploited right after it was made public … Mumsnet suggested that they found out last Friday). Especially shameful for the Canadian one, though (one can hope it isn't maybe the NSA that thought if they had social insurance numbers they could make use of it to prevent an ideal – terror etc. – just like everything else they do is given that reason)…

Either way, I guess both organisations will have to deal with it and that includes the major problems (misery and fear of consequences) for those it will affect (one can hope they both DO in fact take responsibility and address it appropriately).

